280 likes | 572 Views
Practical DIACAP Implementation. CS526 Research Project by Michael J. Cohen 4/29/2009. Agenda. Research Objectives The Global Information Grid Introduction to DIACAP The Process The DIACAP Package Findings. Research Objectives.
E N D
Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009 Michael J. Cohen
Agenda • Research Objectives • The Global Information Grid • Introduction to DIACAP • The Process • The DIACAP Package • Findings Michael J. Cohen
Research Objectives • Assist Boeing with instruction for new Information Assurance Professionals on what DoDI 8500.1 (DIACAP) is and how it is applied. • Use a sample architecture provided by Boeing to demonstrate the implementation of DIACAP. Michael J. Cohen
Related Research • Hurkute S., Bele K., Nam, S., et. al. 2007. “Apply DITSCAP to Evaluate a PTC based Secure E-Voting System”. • Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/shurkute/doc/E-votingDITSCAPProject.ppt • Wilson, B., 2007. “Move Over DITSCAP…The DIACAP is Here!”. • Retrieved from http://cs.uccs.edu/~cs591/studentproj/projS2007/bwilson3/doc/DIACAPClassPresentation.ppt Michael J. Cohen
The Global Information Grid “The Global Information Grid1 (GIG) consists of information capabilities – information, information technology (IT), and associated people and processes that support Department of Defense (DoD) personnel and organizations in accomplishing their tasks and missions – that enable the access to, exchange, and use of information and services throughout the Department and with non-DoD mission partners. The principal function of the GIG is to support and enable DoD missions, functions, and operations. Therefore, the way that DoD warfighters, business and intelligence personnel operate must drive the way the GIG is designed, developed, acquired, implemented, and operated.” -The DoD Global Information Grid Architectural Vision (2007) Michael J. Cohen
DoD Global Information Grid • Examples of DoD Systems include: • Joint Tactical Radio System (JTRS) • Warfighter Information Network Tactical (WIN-T) • Intelligence Community System for Information Sharing (ICSIS) • What do these systems have in common? • They must not be compromised in terms of: • Confidentiality • Integrity • Availability • Information Assurance is an understandable concern. Michael J. Cohen
DIACAP • Department of Defense (DoD) • Information • Assurance • Certification and • Accreditation • Process • This process ensures that a DoD information system meet the appropriate security policies throughout its entire lifecycle. Michael J. Cohen
Why is a process necessary? • Defines the steps necessary to implement the security policies. • Guarantees that security requirements are implemented consistently throughout the system. • Creates a paper trail. Michael J. Cohen
3 Components Needed for Implementation • The DIACAP Process • DIACAP Knowledge Service • Online knowledge base maintained by the DoD that contains the most current information on IA controls. • Automated C&A Tool that automates workflow • DoD recommends eMASS (Enterprise Mission Assurance Support Service) • Boeing uses the I-Assure DIACAP Toolset Michael J. Cohen
The DIACAP Process Michael J. Cohen
Tasks for Initiating and Planning IA C&A • Registering the System • System is registered with the DoD • Confidentiality level is defined • Assigning IA Controls • Security requirements are defined based on the level of mission criticality (MAC level) and confidentiality • Assembling the DIACAP Team • Initiating the Implementation Plan Michael J. Cohen
DIACAP Implementation Team Roles • Designated Accrediting Authority (DAA) • Signs off on Accreditation status • Ultimately responsible for the system • Certifying Authority (CA) • Makes the certification recommendation • Oversees those performing the evaluation • Information Assurance Officer (IAO) • Ensures that appropriate security is maintained on the system • Information Assurance Manager (IAM) • Coordinates and supports the missions of the other team members • Technical Lead Michael J. Cohen
DIACAP Implementation Roles (cont.) • Program Manager / System Manger (PM/SM) • Manages Implementation • User Rep • Represents the user community to ensure that user needs of the system are met Michael J. Cohen
Tasks for Implementing & Validating IA Controls • Executing the Implementation Plan • Conduct validation • Prepare POA&M (if necessary) • Enter results into DIACAP Scorecard Michael J. Cohen
Tasks for Certification & Accreditation Determination • The CA makes a certification determination • Based on actual results of the implementation and testing of IA controls • The DAA issues an accreditation decision • Based on the CA’s recommendation along with the mission and business need. • DAA’s decision can be one of the following: • Authorization to Operate (ATO) • Interim Authorization to Operate (IATO) • Interim Authorization to Test (IATT) • Denial of Authorization to Operate (DATO) • All systems must be reaccredited every 3 years Michael J. Cohen
Tasks for Maintaining Authorization to Operate • Managed by IAM • Maintaining situational awareness • Maintaining security • Initiate corrective action when necessary • Conduct annual reviews of IA controls Michael J. Cohen
Tasks for Decommissioning • Make sure there are no negative impacts to other systems • Update the SIP • Remove and dispose of POA&M and DIACAP scorecard from all tracking systems • Retire system according to the appropriate requirements and procedures Michael J. Cohen
DIACAP Package • Generated through the implementation of the DIACAP process. • Comprehensive Package Contents: • System Identification Profile (SIP) • DIACAP Implementation Plan (DIP) • DIACAP Scorecard • IT Security Plan of Action & Milestones (POA&M) (Optional) • Supporting Certification Documentation Michael J. Cohen
Sample Architecture Michael J. Cohen
System Identification Profile (SIP) Michael J. Cohen
DIACAP Implementation Plan (DIP) Michael J. Cohen
DIACAP Scorecard Michael J. Cohen
DIACAP POA&M Michael J. Cohen
Findings • The project was not as simple as simply running the I-Assure tool to generate the deliverables. • There is not a lot of documentation online regarding DIACAP. Michael J. Cohen
Conclusion • The following was learned from this research project: • The DIACAP methodology. • The usage of a third party tool (I-Assure) tool in implementing DIACAP. Michael J. Cohen
References • Cooper, Ronald. Boeing Mentor. • http://www.i-assure.com • Department of Defense. (2009). DIACAP Training Module. DoD Information Assurance Support Environment.Retrieved from http://iase.disa.mil/eta/diacap/index.htm Michael J. Cohen